General Data Protection Regulation – HospitalityLawyer.com
https://pre.hospitalitylawyer.com
Worldwide Legal, Safety & Security Solutions
Feed last built: Wed, 15 May 2019 01:44:54 +0000

Employee Training is Key to GDPR Compliance
https://pre.hospitalitylawyer.com/employee-training-is-key-to-gdpr-compliance/
Fri, 04 May 2018 01:43:37 +0000

The EU’s General Data Protection Regulation (“GDPR”) goes into effect on May 25, 2018. It is a mammoth regulation and perhaps the most significant European data protection legislation in more than 20 years. In fact, the European Commission just released a new website to help stakeholders, including businesses, with implementation. With its global reach, applying to any organization that processes the personal data of individuals within the EU regardless of where the data lands, GDPR compliance is top-of-mind for executives of multinationals. Despite U.S.-based multinationals spending millions of dollars and thousands of hours preparing for GDPR since it was announced two years ago, a recent survey by MediaPro reveals that more than half of U.S. employees have never heard of the regulation.

GDPR compliance does not rest just with IT – it is everyone’s responsibility. Organizations can help their employees comply with the new regulation and protect against breaches by developing a comprehensive communication and training strategy. In fact, the GDPR requires that companies train their workforces on how to handle personal data under the new law. For training to be effective, it should not be limited to an annual off-the-shelf online course. Instead, training should begin at the top of each organization with a demonstrated commitment to creating awareness and a compliant culture, whether through townhalls or other company-wide communications. Supplement online training with in-person role-based training tailored to meet each functional area’s unique requirements.

Training, however, is not enough. With Privacy by Design now mandated by the GDPR, messages about information protection must be integrated throughout the business. This begins with emphasizing the value of information protection in the Code of Conduct and Ethics. Put this language into practice by embedding privacy and security in operational procedures, aligning it to business goals, and measuring it regularly. Encourage employees to champion information protection by inviting them to the conversation.

With May 25th just around the corner and 59% of U.S. employees reporting they know little to nothing about GDPR, there is still much more work to be done in creating employee awareness. And with fines of up to 4% of annual global revenues or €20 Million (whichever is greater) for non-compliance, lack of awareness could prove to be costly. Organizations with any questions about the applicability of the GDPR to their activities or how to prepare should contact their regular Fisher Phillips attorney or any of the attorneys in our Data Security and Workplace Privacy Group.

What American Companies Need to Know about the EU’s New General Data Protection Regulation
https://pre.hospitalitylawyer.com/what-american-companies-need-to-know-about-the-eus-new-general-data-protection-regulation/
Fri, 03 Nov 2017 00:11:33 +0000

The General Data Protection Regulation (GDPR) is a new data privacy and security law in Europe that will go into force on May 25, 2018. Every organization that does business with EU customers, regardless of the home base of the organization, and regardless of the size of the organization, must come into compliance or risks significant financial penalties and legal exposure. The new law permits fines of the greater of €20 million or four percent of an organization’s worldwide annual revenue for the previous fiscal year.

The primary purpose of the GDPR is to provide EU citizens with greater control over how their personal data is collected, protected and used. There must be a legitimate and lawful reason for collecting data, and collection must be limited to the minimum information necessary for the purpose for which the data are collected. Data must be deleted when that purpose has been achieved.

The definition of personal data under the GDPR is extremely broad and includes any information relating to an identified or identifiable natural person (e.g., addresses, telephone numbers, email addresses, bank information, credit card details, photos, posts on social media websites, medical information, and even an IP address). There is also a separate definition for “sensitive personal data” (e.g., racial or ethnic origins, political opinions, physical or mental health and criminal history) which is entitled to even greater protection.

Companies which are in compliance with the existing Data Protection Act (DPA) certainly have a head start as not everything has changed, but most companies will have to implement additional privacy protections and adopt comprehensive data protection strategies to comply with the more expansive provisions of the GDPR. The following are steps which companies should consider taking now to prepare for implementation of the GDPR.

  • Data Protection Officer (DPO). The GDPR requires that companies hire a DPO if they engage in regular, systematic collection or storage of sensitive customer data. Even if not required, it would be a good idea for most companies to have a DPO with sufficient expertise to guide compliance efforts.
  • Data Breach Notification Requirement. The GDPR requires that companies report data breaches to authorities and affected customers within 72 hours of becoming aware of the breach. Thus, companies should have an incident response team in place and be prepared with carefully crafted messaging.
  • Train Your Workforce. The GDPR requires that companies raise awareness of and train their workforces on how to handle personal data under the new law.
  • Obtain Consent and Provide Information. Organizations must obtain consent before any data are collected and provide customers (including website visitors) with detailed information on the data that are collected and how the data will be used.
  • Institute Procedures for Deletion of Personal Data Upon Request. Under existing law, organizations are required to delete personal data only when it causes substantial damage or distress. Under the new GDPR, an EU citizen may request that all data collected on them be permanently deleted if the information is no longer needed for the purpose for which it was originally collected, or simply when consent to use the data is withdrawn.

With the enforcement date of the GDPR only seven months away, organizations should start assessing their policies and procedures so that they are not caught short when the law goes into effect. Organizations with any questions about the applicability of the GDPR to their activities or how to prepare should contact their regular Fisher Phillips attorney or any of the attorneys in our Data Security and Workplace Privacy Group.


It’s time to wake up and figure out how GDPR affects you!
https://pre.hospitalitylawyer.com/its-time-to-wake-up-and-figure-out-how-gdpr-affects-you/
Sat, 23 Sep 2017 18:47:31 +0000

You’ve heard about the GDPR, right?

As I’ve spoken with people (security people and “civilians”), I’ve found many who had no idea that the GDPR was a thing.  I know Americans tend to have a very US-centric view of the world, but the GDPR is critical for any business with a presence, customers, or clients in or from the EU.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC with an effective date of 25 May 2018 (so about [half] a year to get ready).

The GDPR clearly expresses the central difference between the American and EU views.  The GDPR “[p]rotects [the] fundamental rights and freedoms of natural persons and in particular their right to protection of personal data.”

In the US, personal data is typically seen as the property of the holder of the data.  The EU expressly views personal data as the property of the person.  This difference makes the GDPR distinct from US data breach notification laws.

There are a number of key items to review in the GDPR:

  • Increased extra-territorial applicability
  • Conditions for consent strengthened
  • Privacy policies may “no longer be able to use long illegible terms and conditions full of legalese . . . the request for consent must be given in an intelligible and easily accessible form. . .”
  • Breach notification must be made within 72 hours
  • The GDPR guarantees the Data Subjects’ Right to Access.  The Data Subject may “[o]btain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. . . Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.”
  • The GDPR also formalizes the “Right to be Forgotten”:

“Data Subjects have the right to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.”

Non EU companies that do business in the EU or have customers that are citizens of the EU or live in the EU will have to comply with these regulations for their EU data subject.  Any non-compliant organizations will face heavy fines.

So, get ready folks.  You don’t have much time to explore and internalize the GDPR.
